CVE-2026-27945

6.5 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in ZITADEL's Action V2 feature that allows attackers to make ZITADEL send requests to internal network endpoints. Organizations using ZITADEL versions 2.59.0 through 4.11.0 with Action V2 enabled are affected. The vulnerability could expose internal network information and services.

💻 Affected Systems

Products:
  • ZITADEL
Versions: 2.59.0 through 4.11.0 (Action V2 feature enabled)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with Action V2 feature enabled. Versions 2.x and 3.x had this feature in preview/beta stage. The vulnerability exists when Action target URLs can point to localhost or internal IP addresses.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Adversaries could map internal network topology, discover sensitive internal services, and potentially access restricted internal systems through ZITADEL's server context.

🟠 Likely Case

Attackers gather information about internal network structure, exposed services, and potentially access metadata services or internal APIs.

🟢 If Mitigated

Limited information disclosure about network structure with no access to actual service data, because ZITADEL only accepts responses that match its expected response schema.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to configure ZITADEL Actions. The threat is reduced by ZITADEL's expected response schema requirements, but information disclosure is still possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.11.1

Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-7777-fhq9-592v

Restart Required: Yes

Instructions:

1. Upgrade ZITADEL to version 4.11.1 or later.
2. Restart ZITADEL services.
3. Verify the patch is applied by checking the version and testing Action configurations.

🔧 Temporary Workarounds

Network Segmentation

Implement network policies or firewall rules to prevent ZITADEL from reaching internal endpoints. The `-m owner` match below only applies to processes running as the `zitadel` user on the host; for a containerised deployment apply the equivalent rule inside the container's network namespace or as a network policy. Add ACCEPT rules for internal destinations ZITADEL itself depends on (its database, SMTP relay) ahead of the DROP rule, or the rule will break the deployment.

```shell
# Example: iptables rule to restrict outbound connections from ZITADEL container/host
# 169.254.0.0/16 is included so cloud metadata endpoints are covered; place ACCEPT
# rules for destinations ZITADEL legitimately needs (e.g. its database) before this DROP
iptables -A OUTPUT -p tcp -m owner --uid-owner zitadel -d 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j DROP
```

🧯 If You Can't Patch

  • Disable Action V2 feature entirely if not required
  • Implement strict network segmentation and firewall rules to block ZITADEL from accessing internal network ranges

🔍 How to Verify

Check if Vulnerable:

Check the ZITADEL version and whether Action V2 is enabled. Versions 2.59.0 to 4.11.0 with Action V2 enabled are vulnerable.

Check Version:

zitadel version

Verify Fix Applied:

After upgrading to 4.11.1+, attempt to create an Action with localhost or internal IP target URL - it should be rejected.
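The rejection described above can also be pre-screened on the defender's side before an Action is saved. The following Go check is an added example, not ZITADEL's own validation code: it refuses target URLs whose literal host is loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address), unspecified, or an IPv4-mapped IPv6 form of any of these, plus the `localhost` name. Hostnames are not resolved here; the comment explains why they must be checked again at connect time.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// isInternalAddr reports whether a literal address should be refused as a target.
func isInternalAddr(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:10.1.2.3 like 10.1.2.3
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsUnspecified()
}

// checkTarget returns nil if raw is acceptable as an outbound target, else an
// error saying why it was refused. Only literal hosts are classified here; a
// hostname must be resolved and each resulting address passed through
// isInternalAddr at connect time, since DNS answers can change after validation.
func checkTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // strips port and IPv6 brackets
	if host == "" {
		return errors.New("empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return errors.New("localhost target refused")
	}
	if addr, err := netip.ParseAddr(host); err == nil && isInternalAddr(addr) {
		return fmt.Errorf("internal address %s refused", addr)
	}
	return nil
}

func main() {
	// Constructed sample targets, not taken from any real deployment.
	for _, t := range []string{"https://hooks.example.com/zitadel",
		"http://127.0.0.1:8080/", "http://[::ffff:10.1.2.3]/",
		"http://169.254.169.254/latest/meta-data/"} {
		fmt.Printf("%-45s %v\n", t, checkTarget(t))
	}
}
```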

📡 Detection & Monitoring

Log Indicators:

  • Failed Action executions with internal IP targets
  • Unusual outbound connections from ZITADEL to internal IP ranges

Network Indicators:

  • ZITADEL server making unexpected connections to internal IP addresses
  • HTTP requests from ZITADEL to metadata services or internal APIs

SIEM Query:

source="zitadel" AND (url="*localhost*" OR url="*127.*" OR url="*10.*" OR url="*192.168.*" OR url="*172.16.*" OR url="*169.254.*")

These wildcard patterns are deliberately broad and will also match version numbers or paths that contain "10." or "127."; review hits rather than alerting on them directly. The 172.16.0.0/12 range spans 172.16 through 172.31, so extend the last pattern to cover those second octets if that range is in use.
